From 7d9658af53286a0117e1d5abc990ec37950dcd82 Mon Sep 17 00:00:00 2001
From: zeroc <21371284@buaa.edu.cn>
Date: Thu, 13 Jun 2024 05:46:59 +0000
Subject: [PATCH] SUNRPC: Fix loop termination condition in gss_free_in_token_pages()

ANBZ: #9303

commit 4a77c3dead97339478c7422eb07bf4bf63577008 upstream

The in_token->pages[] array is not NULL terminated. This results in the following KASAN splat:

KASAN: maybe wild-memory-access in range [0x04a2013400000008-0x04a201340000000f]

Fixes: bafa6b4d95d9 ("SUNRPC: Fix gss_free_in_token_pages()")
Reviewed-by: Benjamin Coddington
Signed-off-by: Chuck Lever
Signed-off-by: zeroc <21371284@buaa.edu.cn>
---
 net/sunrpc/auth_gss/svcauth_gss.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index f5111d62972d..24a7f69e0756 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1160,7 +1160,7 @@ static int gss_read_proxy_verf(struct svc_rqst *rqstp,
 return SVC_DENIED;

 pages = DIV_ROUND_UP(inlen, PAGE_SIZE);
- in_token->pages = kcalloc(pages, sizeof(struct page *), GFP_KERNEL);
+ in_token->pages = kcalloc(pages + 1, sizeof(struct page *), GFP_KERNEL);
 if (!in_token->pages)
 return SVC_DENIED;
 in_token->page_base = 0;
-- 
Gitee
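Review bot: The extra slot in `kcalloc(pages + 1, sizeof(struct page *), GFP_KERNEL)` is a NULL sentinel that the free path depends on, but nothing at the allocation site says so. Going by the commit message, gss_free_in_token_pages() walks pages[] until it hits a NULL entry, so a later cleanup that drops the `+ 1` or fills the last slot would bring back the out-of-bounds read that KASAN reported. I would add a comment above the call, e.g. `/* +1: zeroed terminator slot; gss_free_in_token_pages() stops at the first NULL entry */`. The body of gss_read_proxy_verf() and the free loop itself are outside this hunk, so it is worth confirming that the code filling the array never writes more than `pages` entries.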